My Perspective on the OCC’s Testimony and What It Signals for the Future of Operational Risk

Dec 16, 2025

Ashwin Nayak

White text reading "REIMAGINING RISK MANAGEMENT" with a subtitle reading "FOCUS ON OPERATIONAL RISK RESILIENCE" on a deep blue background

After reviewing the Comptroller’s recent testimony, I found myself reflecting on what this moment really represents for financial institutions. The OCC’s push to simplify regulation, strengthen supervisory consistency, and encourage responsible innovation is encouraging, but it also underscores a deeper truth: regulatory relief alone won’t solve the operational challenges that have built up inside many organizations.

For years, banks have modernized customer-facing technology without making the same investments in the operational backbone that supports risk, data, and controls. As a result, the complexity they face today is as much internal as it is regulatory, making this a pivotal moment for institutions to reassess how they define, manage, and operationalize risk across the enterprise.

Evaluating Agency Priorities through an Operational Risk Lens

Jonathan V. Gould, Comptroller of the Office of the Comptroller of the Currency, delivered written testimony to the Committee on Financial Services of the United States House of Representatives on December 2, 2025. His statement outlines how the OCC plans to modernize regulation and support responsible innovation in banking. The full statement is available here: https://www.occ.treas.gov/news-issuances/congressional-testimony/2025/ct-occ-2025-117-written.pdf

OCC’s Strategic Direction and Regulatory Simplification

Auditrol supports the OCC’s strategic commitment to streamlining regulatory requirements and strengthening the regulatory framework to make it simpler, more robust, and accountable. The agency intends to remove unnecessary supervisory clutter and return to supervision rooted in law, with greater reliance on examiner judgment and consistent enforcement standards.

At the same time, it is critical to examine why complexity built up inside institutions. Banks are expected to define and manage their risk profiles for business and operational decision making. It’s an expectation that regulators share. In practice, many institutions struggled to coordinate financial, compliance, and operational risks across line of business.

The rise of advanced technologies such as AI, tokenized assets, and new payment mechanisms including payment stablecoins has intensified this complexity. Many banks have modernized customer facing capabilities without making the same level of investment in operational infrastructure. As a result, some institutions adopted short term remediation measures such as outsourcing risk management programs to third party vendors, relying on technology teams to draft business controls, separating business risk managers from technology functions, or depending heavily on personnel in global competency centers to execute core risk activities.

These are internal structural challenges. Reducing external supervisory requirements will not resolve them without corresponding modernization within institutions.

Material Financial Risk, Capital Rules, and Operational Execution

The Comptroller highlights ongoing work with interagency partners to repropose the Basel III capital rule and improve capital standards, including the Enhanced Supplementary Leverage Ratio and the Community Bank Leverage Ratio. The goal is to safeguard the system while making the framework simpler, stronger, and more accountable, including targeted burden relief for community institutions.

The capital standards depend on accurate, repeatable, and explainable calculations. Banks need operational maturity and a platform centric, data driven approach to risk management to support that outcome. That includes:

Well defined algorithms and calculation rules for capital, leverage, and risk weighted assets
Automated computation and persistence of results with full audit trails
Monitoring of statistical variance and trend behavior over time
A robust data architecture that supports validation at the variable and aggregate levels

Without this level of operational discipline, institutions risk misreporting capital adequacy and inviting heightened supervisory attention. The OCC’s push for a simpler but more rigorous capital framework increases the urgency on reliable data architecture, models, and controls in day-to-day operations.

Enforcement Standards and Matters Requiring Attention (MRA)

The Comptroller states that enforcement must be proportionate and predictable and that the OCC is codifying reforms to the Matters Requiring Attention (MRA) process. These reforms aim to clarify enforcement standards and ensure that supervisory tools are used consistently.

In our experience, MRAs often arise when banks cannot demonstrate consistent and reliable reporting of core banking processes and how they operate within risk tolerances. That includes areas such as credit underwriting, consumer compliance, privacy, complaints, security, and regulatory reporting. Institutions should address these gaps in a systematic and sustainable way rather than waiting for the finalization of supervisory reforms.

From an industry perspective, it would be helpful if expectations for MRAs reflected not only the nature of the issue, but also institutions’ asset size, complexity, and product offerings. Traditional banks and Neobanks may have similar asset sizes, but they present different risk profiles and impacts to the industry. This is my perspective and not a stated OCC position.

Innovation, Stablecoins, and AI

The testimony emphasizes that innovation has always shaped American finance and that the federal banking system must remain dynamic, competitive, and fair. The OCC describes its work to implement the GENIUS Act and safely integrate payment stablecoins into the regulated banking system. It also highlights the need to provide all OCC supervised banks a path to use new technologies, including AI, rather than confining these capabilities to a privileged few.

In parallel, the OCC is modernizing its own operations with technology, data, and AI to deliver more efficient supervision and lower assessment fees, which ultimately benefits banks and their customers.

I see strong alignment between this agenda and a business led approach to AI, Stablecoin payment, and tokenized asset innovation. Banks can embrace the new technologies by building risk resilience such as:

Tie directly to business processes
Increase adoption by building platform-centric and auditable risk management capabilities
Embed controls to scale assessment inside workflows.
Focus on risk observability across business processes as opposed to technology centric.

Conclusion

The OCC is working to restore a balance of prudence and progress in the federal banking system. Banks now have a window to reimagine their business processes around clear risk ownership, strong data foundations, and responsible use of AI and digital assets. Institutions that use this period to strengthen operational maturity will be better positioned to meet supervisory expectations, support their customers, and compete in a more dynamic financial system.

I expect the financial services sector to undergo a level of transformation over the next five years that will exceed the pace and scale of change seen in the past half century.